A new group of threat actors has been observed conducting a series of cyberattacks targeting government agencies, military entities, and civilian users in Ukraine and Poland.
According to Cisco Talos' new advisory, the malicious campaign began in April 2022 and is still ongoing. The attackers primarily aim to steal valuable information and establish persistent remote access.
“The Ukrainian Computer Emergency Response Team (CERT-UA) attributed the July campaign to the threat actor group UNC1151 as part of GhostWriter's operational activities allegedly linked to the Belarusian government,” Cisco Talos writes.
The attack uses a multi-stage infection chain whose initial entry point is a malicious Microsoft Office document, specifically in Excel or PowerPoint format. These documents use hidden executable downloaders and payloads embedded within image files, making them more difficult to detect.
The main focus of these campaigns is on government and military organizations in Ukraine and Poland. Threat actors use social engineering techniques with images and text that look authentic.
“The purpose of these socially engineered decoys is to convince the target user to enable macros, thereby allowing them to start the execution chain,” explained Cisco Talos.
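The two document features described above, a macro that starts the chain and a payload hidden inside an embedded image, are both visible in the document's own structure, so a defender can triage Office files before they reach a user. The script below is an added example written for this article, not Cisco Talos' tooling or a published detection; it builds a constructed OOXML-style zip (a stand-in for a real workbook, not one from the campaign) that carries a `vbaProject.bin` part and a PNG with a PE stub appended after the IEND chunk, then scans it for a macro part and for executable data trailing an image. Part names, the PNG/JPEG trailer markers and the `MZ` check are the only assumptions it makes about the file format.

```python
import io
import re
import zipfile

# Constructed sample data: a minimal OOXML-style zip, NOT a real workbook and
# NOT a sample from the campaign. It carries a VBA project part and a PNG
# whose image data is followed by a PE stub (appended after the IEND chunk).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."


def build_sample_document(with_macro=True, with_payload=True):
    """Build the constructed sample document in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE compound files; the D0 CF 11 E0
            # magic is enough for this illustration.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
        image = PNG_SIG + b"\x00" * 32 + PNG_IEND
        if with_payload:
            image += MZ_STUB  # executable smuggled behind a valid-looking image
        z.writestr("xl/media/image1.png", image)
    return buf.getvalue()


# Part-name patterns assumed for OOXML (xlsm/pptm/docm) packages.
MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MEDIA_PART = re.compile(r"(^|/)media/", re.IGNORECASE)

# Image signatures mapped to the marker after which no image bytes are expected.
IMAGE_TRAILERS = {
    b"\x89PNG": PNG_IEND,   # PNG ends with the IEND chunk
    b"\xff\xd8\xff": b"\xff\xd9",  # JPEG ends with the EOI marker
}


def trailing_bytes_after_image(data):
    """Return the bytes that follow the image's end marker, or None if the
    format is unknown or the end marker is missing."""
    for magic, trailer in IMAGE_TRAILERS.items():
        if data.startswith(magic):
            end = data.rfind(trailer)
            if end == -1:
                return None
            return data[end + len(trailer):]
    return None


def scan_office_document(blob):
    """Return a list of human-readable findings for an OOXML document blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if MACRO_PART.search(name):
                findings.append(f"macro part present: {name}")
            if MEDIA_PART.search(name):
                tail = trailing_bytes_after_image(z.read(name))
                if tail and b"MZ" in tail[:8]:
                    findings.append(
                        f"PE header appended to image: {name} (+{len(tail)} bytes)")
                elif tail and len(tail) > 64:
                    findings.append(
                        f"unexpected trailing data after image: {name} (+{len(tail)} bytes)")
    return findings


if __name__ == "__main__":
    for finding in scan_office_document(build_sample_document()):
        print(finding)
```

Either finding on its own is a reason to hold a document for analysis: a macro part in a file that arrives as a "VAT return" should already trip policy, and bytes after a PNG IEND or JPEG EOI marker have no legitimate reason to exist in an embedded image. On real files, run the scan at the mail gateway or on the sandbox side rather than relying on the user declining the "enable macros" prompt.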
Ukrainian and Polish businesses and ordinary users have reportedly fallen victim to these campaigns via deceptive Excel spreadsheets masquerading as Value Added Tax (VAT) returns.
Analysis of the attack revealed that it deployed various malicious payloads, including the AgentTesla Remote Access Trojan (RAT), Cobalt Strike beacon, and njRAT. These payloads allow attackers to steal information and gain remote control of compromised systems.
To mitigate the risks posed by these cyberattacks, Cisco Talos recommended implementing comprehensive security measures. The security firm's advisory also includes a list of indicators of compromise (IoCs) associated with these threats.